In a media statement, sent to Cryptovest by Andrew Tierney, a.k.a. Cybergibbons, the group claims it had been able to “backdoor” the Bitfi wallet.
Before we move on to the detailed statement, we must clarify that the people working on the Bitfi wallet attack were not employees of Pen Test Partners. Our perception that PTP was doing the brunt of the work on the wallet came mostly from the fact that most of the tweets we saw came from Tierney, who works for PTP as a security consultant, and the fact that there were published articles in the company’s blog that referred to these efforts.
However, Tierney was part of a larger group of individuals who worked on challenging Bitfi’s claims of making an unhackable wallet, including:
Its name THCMKACGASSCO is an abbreviation for “The Hacker Collective Mistakenly Known As Cyber Gibbons, Also Sometimes Somehow Called OverSoft”.
The statements starts with a summary:
“We have developed a practical attack against the Bitfi wallet, allowing us to ‘backdoor’ the device to send the phrase and seed to a remote server. Someone with access to the device - either in the supply chain, or once possessed by the user - can carry out this attack. The bounty set by Bitfi is a marketing ploy which we are not taking part in.”
This is followed by a response to Bitfi’s definition of “unhackable”.
“The only definition of ‘unhackable’ we accept is that the device cannot be hacked and will not ever be hacked by any means. ‘Hacked’ means that the user’s seed and phrase (or equivalent private keys) are exposed, placing stored funds at risk. Bitfi keep on trying to redefine this as ‘not having claimed the first bounty.’ The bounty covers attacking the device under a specific set of conditions: setting a strong passphrase, turning off the device, and sending it via courier. This is not a realistic threat model and ignores malware, compromised networks, evil maid, and supply chain tampering. For this reason, we are not participating in the bounty: It is a marketing ploy.”
Not only did THCMKACGASSCO refuse to further participate in the bounty but also cut off communicating with Bitfi after what has been perceived by the community at large as threatening language from the company in some of its tweets, including one in which an employee of the company said that “deception that [they] deliberately spread about Bitfi can have consequences”.
The statement continues with a response to this:
“We are not collaborating or communicating with Bitfi due to their communications on Twitter and via other media. They have sent Twitter threats to researchers warning of ‘consequences’. Several sock-puppet Twitter accounts have been set up, all linked back to the email address [email protected], making ad-hominem attacks against researchers. This suggests it is the CEO of Bitfi, Daniel Khesin.”
When we asked Tierney for clarification regarding what he called “deceptive behavior” from Bitfi, he pointed out that at least three Twitter accounts posing as customers sent the group angry messages. One of these accounts appeared associated with the CEO of Bitfi.
Although the “da****@b****.***” email suggestion in the password reset page doesn’t definitively prove that this could be an account associated with Daniel Khesin, an analysis of the mannerisms provided by Ryan Castellucci seems to suggest that the account might belong to him.
Another account we saw used to be a totally different person, but suddenly became a crypto-related account that vigorously defended Bitfi’s wallet.
Deeper in the thread we can see a Twitter user posting a screenshot from Google’s cache of what the account used to look like. It used to belong to someone who posted messages about romance.
Returning to the statement, it concludes with evidence of an evil maid attack executed on the Bitfi device and evidence of the transaction on the public blockchain:
“We have been able to ‘backdoor’ the Bitfi wallet. When the phrase and seed are entered into the device, they will be sent to a remote server. With the phrase and seed, we have access to the user’s funds. The wallet continues to operate as normal, and there are no mechanisms for the user to detect this tampering. This is demonstrated in this video:”
“The transaction made here is visible on the blockchain. It is shown as being relayed from the bitfi.com server.”
The statement includes a link to the raw values involved in the transaction.
“@cybergibbons, @spudowiar, @ryancdotorg, @OverSoftNL, @ProfWoodward have all observed this attack. We have long track records of finding and reporting vulnerabilities and are trusted by the security community and media. We have no reason to fabricate such an attack. The attack can be demonstrated to [the] media,” the statement concludes.
During our interview with Bill Powell from Bitfi, he mentioned that the hackers did not send a device over for the company to analyze and fix.
“I cannot see that on the terms [for the bounty]. Very specifically they do say ‘This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks’,” Tierney replied.
After we asked him whether Bitfi has attempted to come forward and make amends, he also mentioned that “every communication I have had or seen with Bitfi has come back to deceptive behavior. We have tried speaking via @QuantusTecSol and he is more reasonable but I do not think messages are getting through to Daniel.”
Tierney also pointed out that there was one “in-depth review” written by an author who did not even possess the device at the time of writing.
We appreciate the effort that Andrew Tierney underwent in informing us and clarifying the situation from his side of the aisle. We continue to be open to any responses that Bitfi or John McAfee wish to provide.